Every other day, one business contact or the other tells me that they don’t use WhatsApp for sensitive discussions anymore, so to continue the conversation I need to move to Signal. Since I don’t have a big problem with such requests, I haven’t bothered to reflect too much on the trend. Until this afternoon, when another request triggered me a bit, and I thought, heck, let me just write a little piece on the subject.
It is easy for folks to confuse privacy, data protection, and secrecy/anonymity when it comes to modern digital technology. All these concepts are made all the more complicated by having multiple layers of legal and technical complexity.
One simple way to get a handle on the intricacies is to be clear about the “enemy” one is seeking said privacy, protection or secrecy from or against. Is it 1) friends and neighbors, 2) the general public, 3) the government, 4) the technology developer or 5) everyone?
I will tell you upfront: privacy from everyone is simply not a realistic option if one also intends to use digital technology. There is always someone else in the mix. Even apps like Threema that try to up the privacy stakes by emphasizing anonymity cannot be completely invisible to the telecom and datacenter networks through which users access them. So, let’s discard the “everyone” case without further probing. That leaves us with four main classes of “others” against whom one may reasonably seek to assert one’s wish for privacy or secrecy.
In the messaging context, however, there is a presumed openness to friends and others with whom one is engaged in conversation. We can take that category off the list too.
The filtration done so far leaves the following “enemies” on the privacy list: the general public, the government and the technology developer.
All three apps – WhatsApp, Telegram and Signal – are sufficiently well built and maintained to do a reasonably good job of making sure your chats go only to the people they were meant for. Any unintended disclosure is more likely to be due to factors such as human carelessness than to the quality of the specific app. The General Public criterion is thus also easily dismissed as a serious basis of comparison.
Facebook’s unpalatable reputation for commercial exploitation of data without due regard to user sensitivities clearly worries some African business folk in my circles. Signal, being a privacy-obsessed non-profit, clearly wins against both WhatsApp and Telegram on the Technology Provider dimension.
The vast majority of my Africa-resident business friends who ask that we shift conversations to Signal are, however, concerned primarily about government intrusion. This is especially so because, once the government is at the tail-end of the surveillance chain, the risks on all other dimensions multiply. For instance, a Google vendor, Mitto, was found spying for governments without the knowledge of even senior employees, a growing theme in this murky world.
Businesspeople in Africa feel under siege from shadow states, plain extortion, ruling party paranoia about their funding the opposition, and competitors with links to the intelligence services. I find the anxiety about government eavesdropping strongest in East and Southern Africa, though some pretty hairy stories have been heard in Nigeria too. Interestingly, it is precisely in the context of privacy and secrecy where government is concerned that public misconceptions abound.
For instance, there is barely any logic in moving from WhatsApp to Telegram on privacy grounds linked to malicious government or organized hacker activities. Telegram uses an opt-in (non-default) encryption model for message traffic that it refuses to disclose for independent security analysis. Determined security researchers have shown nevertheless that its cybersecurity standards are somewhat looser.
Regarding WhatsApp versus Signal, the analysis is more nuanced and also more interesting. Some users may not even be aware that both apps actually use the same open-source encryption system: the Signal Protocol, which enables end-to-end encryption and perfect forward secrecy, and thus disguises the message from non-senders and non-recipients. The two companies are located less than 30 minutes from each other in the San Francisco Bay in Northern California.
In short, both Signal and WhatsApp are within the legal jurisdiction of the American government and have similar technology philosophies. In fact, the main early financier and co-Founder of WhatsApp is the current co-leader of Signal’s owner entity, and its interim CEO.
Some claims are usually made for Signal’s approach to end-to-end encryption and its implementation of the Signal Protocol for metadata protection (hiding not just the message content but also its critical characteristics like origin, destination and timing). Some argue that as a non-profit it is somewhat less amenable to American government pressure to insert backdoors or to deliberately weaken encryption in the name of national security or law enforcement.
Signal enthusiasts would normally frame such distinctions as done in the above table. How each of those supposed strong suits provides protection against determined US government intrusion is highly debatable. And there is already a growing citizen movement against encryption because of things like child trafficking that are changing the terms of the debate, even as the US Government surreptitiously buys up and holds stakes in the encryption companies themselves.
But we need not dwell too much on the details here since few Africans in the category I am discussing are worried about US government surveillance or law enforcement overreach particularly. The overwhelming majority care more about surveillance by their own governments in Africa.
There is no evidence to show that WhatsApp will be more submissive to an African government’s request for backdoors than Signal. WhatsApp has put up a fairly valiant resistance in India to government demands. The economic case for capitulation is obviously stronger in India than in Africa. The case may nevertheless be made that Signal’s small size and lack of a Facebook-like global footprint should make it more impervious. But a counterpoint can work in Facebook’s favour: its vast resources can help it implement more complex legal and political shields in places like Africa.
At any rate, an African government interested in surveillance is less likely to proceed like the US government, India or China by seeking to enter into elaborate arrangements with tech giants for backdoor design and implementation. Most African governments simply lack the technical capacity to design those kinds of regimes. They are more likely to invest in cyber-offence tools and contractors, as some of them have done already. Tellingly, Bulgaria-based Circles, a spyware vendor steadily overtaking NSO in notoriety, has a third of its government clients based in Africa.
Advanced professional hacking tools and services from the likes of Israel’s NSO and the Anglo-German Gamma Group have also been traced to African surveillance operations. In fact, it is widely believed that Uganda’s attempts to hack the Apple phones of US diplomats in Kampala using NSO’s Pegasus are what caused the abrupt switch of US posture towards NSO from tolerance to hostility.
When it comes to tools such as Pegasus, the target is the phone’s actual operating system. Any malware that takes sufficient control over the operating system of a device could also steal the private keys downloaded from the platform and render any encryption vulnerable.
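Added illustration (not part of the original article, and not Signal's or WhatsApp's code): a simplified symmetric key ratchet showing what forward secrecy still protects, and what it no longer protects, once the key state held on a device has been copied. The HMAC constants, the toy cipher, the sample messages and every function name are assumptions made for this sketch; the real protocol also mixes in fresh Diffie-Hellman exchanges, which this model leaves out.

```python
import hashlib
import hmac

def _h(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def kdf_step(chain_key):
    """One ratchet step: returns (next_chain_key, message_key)."""
    return _h(chain_key, b"\x02"), _h(chain_key, b"\x01")

def _keystream(key, n):
    blocks = (_h(key, b"stream" + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(message_key, plaintext):
    """Toy encrypt-then-MAC cipher, standing in for a real AEAD."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(message_key, len(plaintext))))
    return ct + _h(message_key, b"tag" + ct)

def unseal(message_key, blob):
    """Return the plaintext, or None if the key does not match the blob."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(message_key, b"tag" + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(message_key, len(ct))))

def send_all(first_chain_key, messages):
    """Ratchet once per message; returns (ciphertexts, chain key held before each send)."""
    ck, wire, held = first_chain_key, [], []
    for m in messages:
        held.append(ck)          # the only chain key on the device at this moment
        ck, mk = kdf_step(ck)    # older chain and message keys are discarded
        wire.append(seal(mk, m))
    return wire, held

def readable_with(copied_chain_key, wire):
    """Try every key derivable from a copied chain key against every ciphertext."""
    ck, keys = copied_chain_key, []
    for _ in wire:
        ck, mk = kdf_step(ck)
        keys.append(mk)
    attempts = ([unseal(k, blob) for k in keys] for blob in wire)
    return [next((p for p in tried if p is not None), None) for tried in attempts]

# Constructed sample conversation and starting secret.
MESSAGES = [b"msg 0", b"msg 1", b"msg 2", b"msg 3"]
WIRE, HELD = send_all(hashlib.sha256(b"constructed shared secret").digest(), MESSAGES)

if __name__ == "__main__":
    print("key state copied before msg 2:", readable_with(HELD[2], WIRE))
```

Ciphertexts sent before the copy stay sealed because the one-way step cannot be run backwards; everything from that point on opens. Message history already decrypted and stored on the device is outside this model.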
We know from the Jarett Crisler case that Signal message content and metadata can be extracted by US law enforcement agencies, most likely through exfiltration of encryption keys by exploiting both phone operating system and hardware vulnerabilities. Indeed, at least one Israeli company openly boasts about giving law enforcement agencies the tools to bypass Signal’s encryption. With these vendors willing to do business with any government that will pay, the risks to privacy have metastasized from the policies and conflicts of the technology provider or its privacy commitment to pure commercial jungle warfare.
In short, there are many reasons why an African businessperson may wish to switch among the big messaging apps. Keeping the government’s long nose out of one’s business affairs is, unfortunately, increasingly less tenable as a basis for choosing among the options available.